Results 1 to 9 of 9

Thread: Lockdown of outbound network traffic....

  1. #1

    Lockdown of outbound network traffic....

    I have a client who would like to use their ISA 2004 server to monitor and occasionally restrict all outbound traffic. They recently had an internal issue where an employee might have transmitted confidential information using Microsoft Messenger.

    Currently, they have their ISA server placed behind their PIX and proxy settings for Internet Explorer are pushed down via Active Directory GPO. The problem here is that the PIX is plugged directly into their switch to allow their users to connect to the internet effectively allowing them to uncheck the proxy settings and get where they need to (can't restrict them from doing so as most are allowed to use their laptops at home). Furthermore, restricting proxy settings does not change the way that IM clients connect as they usually have to be configured manually.

    Someone suggested that they pull the plug connecting the PIX and switch to force traffic to be directed through the ISA server (which would be dual-homed on the internal network and DMZ), but this presents another problem. The use a multitude of internet applications that are frequently changing and it's very possible that forcing them to work through a proxy will break them. On top of that, their c-levels frequently communicate with family members via IM and I'm not about to start blocking them

    Lastly, pulling the plug would break their VPN access as the only direct route in would be via the ISA server. I'm talking to their ISP at the moment, but none of their guys are coming up with anything so I figured that I'd take my question to you guys.

  2. #2
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    I'm confused, this seems awfully simmilar to an earlier post you made; http://www.antionline.com/showthread...2&pagenumber=1

    Could you simplify what you'r looking for?
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.

  3. #3
    Hear what you are saying here Infernon, but use of an application like IM in the hands of generally users who don't realise the ramifications of what they are doing is not really good. I understand the problems you face with that issue and don't envy the situation.

    From the situation you describe, I can't really see a technical solution that wouldn't be circumvented. It seems that the environment is fairly open and doesn't really conform to any standard operating environment.

    What I would recommend (and granted you may not be in a situation to do this):
    1. Enforce some levels of restrictions on accounts via group policy or third party application to force use of proxy settings and restrict certain application
    2. Develop a profile of the user groups that exist and determine what rights and applications they require to undertake their business
    3. Look at developing firm security policy to address transmission of confidential information. A tech solution alone is not going to be sufficient. If you plug one hole, the users will find another. Unless you can back it up with policy that potentially carries some punitive actions against offenders, you job is going to be hard.

    I realise this doesn't address your question fully, but I hope it helps you in the long run

  4. #4
    Nope, it's a completely different situation.

    Imagine that we currently have a "two-pipe" scenario where people are able to do anything that they please because of the second pipe. We'd like to force all traffic to be directed through only one pipe while allowing an alternate route for those who the rule shouldn't apply to.

    I suppose that I stressed ISA server too heavily in my question. This is more of a network configuration issue. I should have asked a better question by soliciting advice on locking down the outgoing traffic on your network, as in "how does everyone else do it?".

    Thanks for the quick response!

  5. #5
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    This is not foolproof, but..:
    assign static IPs to those who should be allowed through the pix,
    setup a object-group for these IP's on the pix,
    configure an ACL passing that object group out to the net but blocking everyone else...

    Or if you don't trust the static IPs part enough (understandable), you could setup web auth on the pix and configure radius to point to radius that you would setup on ISA (if I remember correctly, ISA does ship with a radius server) for example...


    Or, you could also use GPOs to prevent users from modifying the proxy settings in IE... I've used that technique before, not completly foolproof (won't prevent other browsers from being manually configured) either but it works fairly well if you have a lockedown environment...


    Ammo
    Credit travels up, blame travels down -- The Boss

  6. #6
    0_o Mastermind keezel's Avatar
    Join Date
    Jun 2003
    Posts
    1,024
    Is it possible to limit access by using MAC address authorization? In case that made no sense, I'm thinking of something similar to the static IP address but harder to spoof....one would have to actually be using the boss's computer (hopefully locked in his office or adequately password protected) to be allowed access though your "second tube".

    I don't do much networking, so this is more of a question of if it's possible than a suggestion.

  7. #7
    I don't know how cost effective this solution is for you, but it's saved my institution a lot of money over just normal websence and it has so many other functionalities. We use SCM (Secure Content Manager) by Computer Associates. I know you're thinking why does websense have anything to do with this question. Nothing, it's all about access and control.

    Windows only allows for a user to proxy once. I am assuming your average user is using Windows. You can use the SCM or some other proxy device on the inside network to filter all traffic you want going out and you don't have to worry about someone using an outside proxy because they are forced to proxy to the SCM to get out. The PIX has to be configured to only allow whatever ports you want outbound from the IP of the proxy device.

    Basically a user gets one proxy with Windows, what you're doing is causing all of whatever kind of traffic to do that proxy before it leaves your network now a user can't go setting their own. This device can then be set to stop certain traffic, set download thresholds and all kinds of useful things. We just happen to use ours in the place of Websense.

    You should still use your Group Policies to make users/computers Proxy to this device. If any of the L337 wannabees in your company try to change their internet explorer settings they will not be doing anything but keeping all of their web services from working.



    I apologize if I have left anything unclear in my thoughts there. I will try to explain anything you find unclear. Hope this at least gives you an idea
    "Experience is the hardest teacher, it gives the test first and the lesson after." Anonymous

  8. #8
    The ISA 2004 server is running as a logical proxy, rather than an inline system, in the current configuration. You would have to completely reconfigure this system to handle the dual-homed configuration and perform the type of traffic analysis that your client requested, and you would hope that the server will have the stuff to handle the increased traffic. However, this could create a DMZ between the ISA system and the PIX. The PIX can perform certain roles (as ammo mentioned), and the ISA box can perform some others.

    Depending on the type of VPN used, you can tunnel this through the PIX, DMZ and the ISA box, maintaining that type of connectivity.

    Of course, I would model this configuration in a test environment first, to make sure you are getting the kind of protections and traffic shaping you want and the client thinks they need. It isn't something you will be able to accomplish in a couple days.

    You may also want to examine some other content scanning solutions that can be placed between the PIX and switch, or on one side of the other of the PIX/switch package.

    This is a very difficult problem to resolve without making network access near impossible for the users. Content scanning can be a huge resource problem. Getting specific about some types of content to alert means that other types of content get ignored.

  9. #9
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Originally posted here by keezel
    Is it possible to limit access by using MAC address authorization? In case that made no sense, I'm thinking of something similar to the static IP address but harder to spoof....one would have to actually be using the boss's computer (hopefully locked in his office or adequately password protected) to be allowed access though your "second tube".

    I don't do much networking, so this is more of a question of if it's possible than a suggestion.
    Not a stupid suggestion/question, but it doesn't really add more security and has some inconveniants; let me explain for informational purposes:

    The ususal way of assigning static IPs to specific computers is to setup DHCP reservations; this means that a computer requesting an IP lease from the dhcp server, will be match to the reservations table with the source MAC address of the dhcp request. Right there you pretty much/kindof get that "MAC filtering"...

    That being said, MAC addresses are just about as easy to change/spoof than setting yourself a static IP. So unless you have anti MAC spoofing configurations setup on your network switches (etc), it remains a pretty weak measure...

    Also, if your network happens to be segmented in diffrent subnets and that the filtering gateway (the PIX in this case) is not the only routing device (ie: you have a router behind), the mac address that the PIX will see as source will be the PIX's, preventing you from doing filtering there...


    Ammo
    Credit travels up, blame travels down -- The Boss

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •